[00:02.110 --> 00:06.130]  Welcome to DEF CON 28, the safe mode edition.
[00:06.130 --> 00:11.450]  You're watching a video, or a talk, by H2C Village.
[00:11.450 --> 00:14.550]  And this is provided to you from Obi-Wan 666.
[00:14.930 --> 00:17.830]  Yeah, let's talk about Swimming IoT.
[00:18.250 --> 00:21.150]  An IT and OT overview.
[00:21.270 --> 00:26.070]  But, yeah, it's better without that mask.
[00:26.550 --> 00:28.990]  So, I don't expect anything here.
[00:28.990 --> 00:30.990]  So, let's go.
[00:31.830 --> 00:34.550]  Yeah, what will we listen to today?
[00:34.550 --> 00:38.130]  We have a short introduction over me.
[00:38.130 --> 00:44.110]  Then we get an overview of IT and OT systems on a yacht.
[00:44.270 --> 00:47.710]  Then we look a little bit deeper into the bridge network.
[00:47.710 --> 00:52.490]  How the bridge network is working and how some messages are transmitted.
[00:53.570 --> 00:57.710]  So that's more the details in the ECDIS Technical 101.
[00:57.710 --> 01:03.170]  So, how is an ECDIS network working and how the messages are transferred.
[01:03.170 --> 01:10.410]  What it will look like and what will be the outlook for, let's say, the next year until the next DEF CON.
[01:11.510 --> 01:14.550]  Hopefully, back in Vegas then.
[01:15.470 --> 01:16.970]  Yeah, why hacking yachts?
[01:17.750 --> 01:20.950]  Accidentally, I slipped into this topic.
[01:21.530 --> 01:23.590]  So, my boss owns one.
[01:23.590 --> 01:28.590]  And I was able to build some devices on the ship.
[01:28.590 --> 01:31.650]  And then I started to look at them.
[01:33.410 --> 01:41.870]  So, mostly they are privately owned and chartered by private people.
[01:42.590 --> 01:47.790]  And CEOs are running their business from yachts while they are traveling.
[01:47.790 --> 01:54.890]  So, the best office that you can have is away from everyone else.
[01:54.890 --> 01:59.430]  So, it's not crowded anyhow. So, you have your safe place.
[01:59.430 --> 02:05.050]  And you can do the business from your office on the water.
[02:05.130 --> 02:08.650]  So, it's a nice place to work from.
[02:08.650 --> 02:14.090]  And all the celebrities, they are using also yachts.
[02:14.290 --> 02:20.890]  And showing off on the famous places in the world and make their Insta-stories and so on.
[02:20.890 --> 02:31.410]  So, if you maybe have access to a yacht where a celebrity is on, then you can do maybe some other things with that information.
[02:33.070 --> 02:44.470]  So, the thing is then, if we have control over the yacht, the internet access for example or all the smart devices or the IT or the OT network that is on board.
[02:44.710 --> 02:49.190]  So, what we will have there, we will see in this presentation.
[02:49.190 --> 02:55.450]  So, my name is Stephan Gehring. I am also named Obiwan666.
[02:55.450 --> 02:59.030]  Older than the internet, as always.
[02:59.590 --> 03:09.970]  I have a couple of certifications like GCFA, CISSP, Microsoft Certified System Engineer, CCNA by Cisco and a couple of others.
[03:09.970 --> 03:14.990]  So, some of them are not maintained anymore.
[03:14.990 --> 03:21.910]  So, the one that I... my favorite one is the CISSP.
[03:21.910 --> 03:26.490]  OSCP is the next one I maybe will start on, but yeah.
[03:26.850 --> 03:29.830]  So, my background is an electronic specialist.
[03:29.830 --> 03:36.410]  I was working in the German aviation army on navigation systems for helicopters.
[03:36.410 --> 03:45.350]  And also 32 years now volunteer firefighter in my city here in beautiful Lingen.
[03:46.030 --> 03:49.890]  Yeah, I volunteer also in a couple of groups.
[03:49.890 --> 03:55.810]  So, Graffel is one of the things. It's a group of nerd hackers.
[03:57.030 --> 04:00.770]  Yeah, from around Europe you can say.
[04:00.770 --> 04:04.890]  I'm also working on the I Am The Cavalry project.
[04:04.890 --> 04:15.330]  Then we have AG KRITIS. It's an NGO on critical infrastructures and also for the CCI.
[04:18.370 --> 04:21.270]  Yeah, what kind of networks do we have on board?
[04:22.230 --> 04:29.390]  Yeah, so I've counted a little bit. So, I found five different networks that we can have.
[04:29.390 --> 04:31.250]  So, it's on the IT network.
[04:31.250 --> 04:37.190]  We have the IT network and we have the wireless network as one.
[04:38.170 --> 04:43.110]  And then we have a couple of more networks when we look at the OT side.
[04:44.110 --> 04:48.490]  So, you can say the bridge network is its own network.
[04:48.690 --> 04:59.630]  So, all the navigation system and so on, everything what's needed for the operation of the ship is on the bridge connected together.
[04:59.630 --> 05:01.830]  So, I call it the bridge network.
[05:02.250 --> 05:05.770]  So, then we have an NMEA network or the NMEA bus.
[05:05.770 --> 05:09.630]  So, we will see a little bit what kind of system is that.
[05:09.810 --> 05:16.190]  Then we have an ICS network where all the PLCs and something else is connected to it.
[05:16.190 --> 05:23.630]  And yeah, the KNX or Instabus, you can say it's also a network.
[05:24.010 --> 05:29.890]  You can count it as part of the ICS network, but you can also count it as part of the IT network.
[05:29.890 --> 05:34.520]  So, I have put it here as an additional one.
[05:34.770 --> 05:42.090]  So, I've counted six here, but yeah, it's five networks, maybe more.
[05:43.950 --> 05:54.090]  GSM is not explicitly in here, or the satellite network; then we are already at seven when we count those as well.
[05:54.810 --> 05:57.770]  Okay, what have we? IT and OT.
[05:59.290 --> 06:03.590]  Yeah, you think now yachts, what could be on there?
[06:05.450 --> 06:12.410]  I say it's a swimming IoT device because there are so many systems on board that are connected together
[06:12.410 --> 06:16.870]  and most of them will have also internet connection.
[06:17.110 --> 06:22.590]  And from that point of view, so we have an ICS network and we have an IT network
[06:24.030 --> 06:27.190]  with maybe VPN connections to offices and so on.
[06:27.190 --> 06:32.390]  And everything is working from this small vessel.
[06:34.110 --> 06:39.610]  In detail, we have there, for example, the VTS, the Vessel Traffic Service.
[06:40.110 --> 06:43.450]  We have Automatic Identification System, the AIS.
[06:43.450 --> 06:50.470]  We have autopilot, we have GPS, we have radar, we have cameras, also thermal cameras.
[06:50.470 --> 06:57.250]  We have engine control and monitoring units that's in the ICS network.
[06:57.250 --> 07:01.750]  Some of them are more and more cloud-based or cloud-connected now
[07:01.750 --> 07:12.070]  so that you have access over your cloud-based devices on the engine control or the engine monitoring systems.
[07:12.070 --> 07:13.930]  The control, that's a bad idea.
[07:14.850 --> 07:20.030]  And we have internet access for the guests, for the crew and for the owner.
[07:20.350 --> 07:27.250]  And a couple of entertainment systems that are also connected over various systems together.
[07:27.250 --> 07:33.490]  So all of those things in the network view, we will see a little bit later now.
[07:33.790 --> 07:39.350]  Over a couple of things, I have already given some talks.
[07:41.070 --> 07:44.450]  So I will sometimes use it as a reference.
[07:45.190 --> 07:49.590]  So for the basic overview, we have the NMEA network here.
[07:49.630 --> 07:51.520]  So it's a bus system.
[07:52.190 --> 07:55.510]  In the old days, it was a serial bus.
[07:55.510 --> 08:01.430]  And it is going completely through the whole ship.
[08:01.710 --> 08:07.550]  And it's connected with taps to the devices.
[08:07.670 --> 08:11.630]  So this is an old serial system.
[08:12.810 --> 08:20.810]  The connections look a little bit like the 10BASE2 connectors or the Cheapernet from the old days.
[08:20.810 --> 08:23.230]  And everything is connected to that.
[08:23.230 --> 08:27.440]  It's not that fast. It's only 4800 baud speed.
[08:27.970 --> 08:32.520]  And it's, as I already said, a serial communication protocol.
[08:32.970 --> 08:42.250]  And it connects the echo sounder, sonars, anemometers, gyros, autopilots, GPS and something else.
[08:42.250 --> 08:45.330]  There are a couple of devices more.
[08:45.490 --> 08:48.330]  Then we have the NMEA2000.
[08:48.330 --> 08:53.710]  This is already a CAN bus, a standard CAN bus technique.
[08:54.130 --> 08:57.350]  And we can operate already with one megabit.
[08:59.590 --> 09:02.570]  It's fast, but not that fast.
[09:02.570 --> 09:07.210]  For more and more applications, we need now faster networks.
[09:07.510 --> 09:14.090]  So the next generation is then, for example, Raymarine calls them the SeaTalk-NG.
[09:14.090 --> 09:22.850]  So this is also a CAN bus system.
[09:24.030 --> 09:29.510]  But Raymarine calls it, we call it SeaTalk-NG, next generation.
[09:30.030 --> 09:32.410]  But it's the same like NMEA2000.
[09:33.390 --> 09:37.090]  But the new version is SeaTalk-HS.
[09:37.770 --> 09:40.710]  So HS is for high speed.
[09:40.710 --> 09:47.890]  So this is a 10 megabit Ethernet network, where, for example, here you see in the pictures,
[09:48.290 --> 09:52.070]  some camera devices and navigation systems are connected together.
[09:52.910 --> 10:01.770]  Six is, for example, part of the bridge network, from the glass bridge series and so on.
[10:01.830 --> 10:04.630]  And all the devices are connected together.
[10:06.690 --> 10:10.070]  Then we have a couple of IT equipment on board.
[10:11.190 --> 10:15.510]  And you would think now, yeah, what could be on there?
[10:15.930 --> 10:20.690]  Well, the bigger the ships are, the more equipment is on it.
[10:20.970 --> 10:26.030]  So the first listing that I have here is from a 30 meter yacht.
[10:26.470 --> 10:31.770]  30 meter is not that much, but it's already a big one.
[10:33.090 --> 10:40.010]  So here we have a half size rack, completely full with IT equipment.
[10:40.350 --> 10:42.270]  So we have a router.
[10:42.530 --> 10:45.170]  We have some servers, three in total.
[10:45.170 --> 10:48.190]  We have two voice over IP gateways.
[10:48.690 --> 10:58.130]  We have a fully equipped 84 port switch.
[10:58.950 --> 11:03.850]  And we have an uninterruptible power supply for that.
[11:05.590 --> 11:10.690]  In total on that trip, we had 10 smart TVs and sat receivers.
[11:10.690 --> 11:19.090]  We had a sharp PC, 14 voice over IP telephones, internet router, UPS and four access points for the Wi-Fi.
[11:20.550 --> 11:26.190]  This is from a 48 meter yacht.
[11:26.190 --> 11:29.750]  So this is already a complete full rack.
[11:29.750 --> 11:34.050]  And there is a second rack full of additional stuff.
[11:34.050 --> 11:46.210]  And in each cabin is also a small rack with the entertainment systems and AVR system, the amplifiers and that stuff.
[11:46.590 --> 11:49.870]  So that's in each cabin, also in extra housings.
[11:50.810 --> 11:56.170]  And this one was from a 70 meter yacht class.
[11:56.170 --> 12:00.430]  Here you see already two complete full equipped racks.
[12:00.430 --> 12:03.870]  And there is a third one with a navigation system rack.
[12:03.870 --> 12:15.070]  So it's in total on that ship already three full stacked 42 inch network racks, you can say.
[12:16.730 --> 12:27.070]  And we had for that ship already around 25 access points, for example, to have a Wi-Fi coverage over the complete board.
[12:28.990 --> 12:37.210]  To get an idea about what the network on the AV equipment looks like, so audio and video network.
[12:37.210 --> 12:41.010]  So here you see it's connected to the IP network.
[12:41.010 --> 12:45.390]  There is a Crestron device that's connecting to everything.
[12:45.390 --> 12:49.050]  So the smart TVs are connected on the IP side.
[12:49.050 --> 12:54.410]  No, they are not connected on the IP side.
[12:54.410 --> 12:58.290]  They are only connected on the video side to the Crestron.
[12:58.350 --> 13:03.930]  The Crestron is the multimedia device that is connected to the IP network.
[13:03.930 --> 13:05.630]  So it's a little bit different.
[13:07.210 --> 13:13.470]  But there is also an Apple TV and such receivers that you will see there.
[13:13.470 --> 13:18.090]  So we have the Blu-rays, Apple TV and the Crestron system itself.
[13:18.090 --> 13:21.590]  And they have also different connection types.
[13:21.970 --> 13:29.250]  You will see it on the chart with different colors and well documented in this one.
[13:29.970 --> 13:33.250]  We have also additional other things.
[13:34.450 --> 13:38.670]  Most of the equipment you can access with a tablet.
[13:39.010 --> 13:43.890]  So you have a tablet on board where you can connect to the audio and video streaming.
[13:43.890 --> 13:46.270]  You can stream music on your tablet.
[13:46.270 --> 13:58.390]  You can use the tablet and say in the cabin, OK, now I want to have the audio on the amplifier to listen to the audio system in the room where I currently am.
[13:58.390 --> 14:11.570]  Or you go into the gym where you have flat TV screens in the ceiling where you can watch the news or listen to music or whatever.
[14:11.570 --> 14:17.030]  Or have multimedia training system then on there.
[14:17.030 --> 14:27.610]  So you are cycling on your bicycle and you see a video of virtual reality where you are cycling.
[14:27.610 --> 14:34.870]  You have also other things like light control where you can switch on the lights on and off.
[14:35.450 --> 14:39.690]  The electric curtains, you can lever them up and down.
[14:40.290 --> 14:45.610]  You have, for example, an engine monitor, a rudder monitor and so on.
[14:45.610 --> 14:49.730]  So everything is accessible, for example, over the tablet.
[14:50.990 --> 14:54.530]  On the OT side we have a couple of other things.
[14:55.270 --> 15:01.670]  One of the monitoring systems is the engine monitoring and control system.
[15:01.670 --> 15:13.290]  Also the propulsion boat thruster, the KNX system for the light control, the PLCs, the valve controls and so on.
[15:13.290 --> 15:18.830]  So it's a whole bunch of systems on the OT side that we have connected.
[15:22.170 --> 15:32.130]  To get an overview of the OT, I have a couple of pictures of that that you get a feeling about what you will see.
[15:32.570 --> 15:39.630]  So you have all those engines that are connected to, mostly two engines that you have on that.
[15:39.690 --> 15:44.070]  Then you have two or three power generators that are connected.
[15:44.070 --> 15:53.090]  You have a couple of heat sensors, water sensors, sensors for how much fuel is in there and so on.
[15:53.090 --> 15:59.310]  The HVAC control, water distribution, pumps and valves and so on.
[15:59.830 --> 16:05.970]  For example, this is only the diagram of an engine control unit.
[16:05.970 --> 16:14.870]  So you have the engines with all the sensors. It's connected to, in this case, it's an AutoMask N400.
[16:15.630 --> 16:21.110]  The last year when I was on, there was also an AutoMask N400 control unit on it.
[16:21.110 --> 16:26.290]  And the engine is connected to the engine control unit.
[16:26.290 --> 16:34.610]  There is a special safety unit, the SCU, and everything is connected with different links together.
[16:34.610 --> 16:40.130]  And at the end, it's everything connected to the Ethernet network.
[16:40.130 --> 16:52.830]  So there is the Ethernet switch and also connections maybe to the Modbus or other bus systems that you will find here, that I have shown here.
[16:53.850 --> 17:02.430]  So this is then the picture of an engine control room where the ETO is sitting.
[17:02.430 --> 17:06.090]  The ETO is the electrical technical officer.
[17:06.470 --> 17:13.890]  And so mostly at yachts, 60, 70 meters or that, there you have an ETO.
[17:13.890 --> 17:21.630]  Below that, the technical officers, they are in charge of that.
[17:21.630 --> 17:25.710]  But on bigger ships, you have a dedicated person for that.
[17:26.190 --> 17:31.530]  And then you have the different monitor systems where you can see all the kinds of things.
[17:31.530 --> 17:36.350]  So here we have a monitor of the engines.
[17:36.350 --> 17:39.230]  So the port engine and the starboard engine.
[17:40.490 --> 17:45.810]  This is an overview of the ICS network itself.
[17:45.810 --> 17:53.630]  So how it is connected, how many PCs are in the network, how many PLCs systems are there and so on.
[17:53.630 --> 18:02.150]  So this is, in this case, an overview of how many systems are there and where I will find it.
[18:03.190 --> 18:08.670]  You have here on the right side, for example, main cabinet, remote rack and so on.
[18:08.930 --> 18:14.190]  Also, a PC client in the D-net or Dynet.
[18:14.630 --> 18:19.170]  This is where the crew is sitting.
[18:19.750 --> 18:21.650]  There is an extra monitor.
[18:21.650 --> 18:28.570]  You have clients on the bridge, on the starboard side and on the port side.
[18:28.750 --> 18:37.890]  For example, in the captain's cabin, there is also a connection so that the captain, when he is at rest, he has also access to all of those systems.
[18:40.150 --> 18:53.810]  And yeah, this is one of the computers that are connected to the monitors and that are connecting or getting all the information from the PLCs, for example.
[18:54.570 --> 19:01.870]  And here on the right, you see also a big silver thing. I'm not sure if my mouse is here.
[19:01.870 --> 19:06.130]  So this device is the network connection.
[19:06.130 --> 19:11.350]  So in this case, the complete PLC network is separated.
[19:12.390 --> 19:16.870]  I've seen also some other ships where this connection is active.
[19:16.990 --> 19:27.270]  So this owner or this crew has decided, OK, when we don't need it, we pull the plug to the normal network so nothing is connected on that side.
[19:27.270 --> 19:28.350]  Very good decision.
[19:28.350 --> 19:35.590]  And when they need remote assistance, then they put a network cable into the normal hub or normal switch.
[19:35.590 --> 19:46.370]  And then they can give remote access for the maintenance people that they have remote visibility or maybe can do some remote tasks on that.
[19:47.610 --> 19:55.210]  This, for example, is one of the racks where the complete PLC system is.
[19:55.210 --> 20:01.430]  This is a full rack of Siemens PLCs with all the subunits of that.
[20:01.930 --> 20:09.410]  And here you see some kind of fuel tanks and how much fuel is in which tank.
[20:09.430 --> 20:19.970]  And also you can access all the valves for the fuel tank that you can pump fuel from one tank to another one to balance the ship with that.
[20:20.950 --> 20:24.650]  So this is an HMI unit, for example.
[20:24.650 --> 20:34.050]  And this is one area where you maybe have to open a door for the garage or for the bath platform or whatever.
[20:35.170 --> 20:38.610]  So there are some HMI units also for that.
[20:39.970 --> 20:42.530]  And this is from another ship.
[20:42.530 --> 20:50.230]  Even here you see the main PLCs, the rudder, the ECR and so on.
[20:50.230 --> 20:54.670]  And also some other connections where we connect together.
[20:54.950 --> 21:05.830]  So here you see already also a serial connection where the sensors are connected and also the network layout of that.
[21:06.450 --> 21:13.730]  So this is a different system, a different ship with a different view on the things.
[21:13.730 --> 21:17.470]  But in general they are doing more or less the same.
[21:19.230 --> 21:24.950]  Here we have other systems. Here is more or less AVB stuff connected.
[21:24.950 --> 21:31.650]  Here we have also a KNX for the light controls and so on.
[21:31.650 --> 21:36.830]  So this is one of the connection boards where everything is connected together.
[21:37.050 --> 21:41.170]  So this is from the electrical point of view one of the nice things.
[21:42.590 --> 21:49.910]  This is another in the bridge, under the bridge or behind the bridge you can say.
[21:49.910 --> 21:55.630]  So the bridge panel is on the right one, the brown thing.
[21:55.630 --> 22:04.130]  And on the left one, the open thing that you see here with the wires, that is from the PLC network.
[22:04.290 --> 22:11.590]  And you see in the middle two network devices that belong to the bridge network.
[22:11.590 --> 22:14.230]  So that we will have a closer look at later.
[22:16.270 --> 22:31.710]  So this is then also the connections where another rack is with some PLC stuff and connecting the information from the systems.
[22:31.930 --> 22:39.110]  And here we have another connection system. So everything is connected over Ethernet together.
[22:40.850 --> 22:43.450]  What kind of attack vectors do we have there?
[22:43.930 --> 22:49.910]  So this is a network diagram that I have written or painted.
[22:51.350 --> 23:00.150]  And I think I have to adjust it a little bit because there are a few things that are now missing when I look at it.
[23:00.150 --> 23:10.530]  But in general, we can say we can attack the systems over the Internet, for example, if we have access to the Internet router.
[23:10.710 --> 23:23.650]  In my last year's talk, I have shown how to bypass authentication, for example, on an Internet router model with the vulnerabilities there.
[23:23.650 --> 23:31.450]  And also on the satellite systems where I had also access over the satellite modems to the network.
[23:32.450 --> 23:40.610]  Of course, you can plant malware on the crew PCs or the captain PC or the owner PC or whatever.
[23:40.610 --> 23:44.330]  Then you have access, for example, on that.
[23:45.170 --> 23:57.390]  The personal digital assistant devices of the crew or the owners is also another point where you can plant malware or where you can start with your attacks.
[23:58.270 --> 24:11.670]  And another interesting point is then once you have access on the Internet side, you have to dig for a gateway, for example, the NMEA gateway.
[24:11.670 --> 24:17.650]  So the NMEA gateway is often a bidirectional gateway.
[24:17.670 --> 24:27.330]  When you have access to that gateway and can plant NMEA messages on that device, you can interact also with NMEA messages on it.
[24:27.330 --> 24:32.830]  But yeah, these were points of my previous talk.
[24:34.210 --> 24:42.050]  And on the PLC network itself, you have a couple of other attack things that you can do.
[24:43.430 --> 24:48.910]  Okay, the bridge. We have seen already a couple of OT pictures.
[24:49.890 --> 24:52.450]  Now we look a little bit more on the bridge.
[24:52.450 --> 24:55.810]  So this is a bridge from a 70 meter class.
[24:56.570 --> 25:05.170]  You have seats for two captains, but only one rudder in the middle of the ship.
[25:05.310 --> 25:08.930]  So two people can sit there and do their job.
[25:09.390 --> 25:14.370]  And they have access to a couple of systems and monitors that you can see here.
[25:15.090 --> 25:18.090]  I will not go in detail on the systems.
[25:18.090 --> 25:26.190]  You have the OT monitoring devices. You have all the normal things to operate a ship.
[25:26.410 --> 25:29.790]  And you have the navigation things that you need there.
[25:31.770 --> 25:37.830]  Another side view of that. So it looks very nice there. It's a good place to work.
[25:38.770 --> 25:44.990]  The view from the front, from the night. So it looks a little bit like a Star Wars ship.
[25:46.270 --> 25:47.950]  I love that view.
[25:49.090 --> 25:54.190]  This is from a 45 meter yacht from the inner view.
[25:54.190 --> 26:03.930]  Here you have only one seat for the captain, but also a couple of monitors you will see here.
[26:03.930 --> 26:10.250]  And where you will find all your necessary information to operate the ship in a safe manner.
[26:12.290 --> 26:19.910]  Here on the left the monitor is already switched on. I switched on the ECDIS so that I can test some devices.
[26:20.130 --> 26:24.230]  Later I had also the S-band and X-band radar on.
[26:25.270 --> 26:29.690]  So I switched on only the system, but it was not transmitting a radar echo.
[26:29.770 --> 26:32.970]  So radar in a harbor is not a good idea.
[26:34.110 --> 26:36.990]  But you can switch on the system itself.
[26:38.070 --> 26:42.450]  It's then in standby, but you will see the network messages.
[26:44.990 --> 26:51.310]  So this is my working place when I'm looking at the yachts.
[26:52.670 --> 27:05.050]  It looks nice, but sometimes the AC is not on.
[27:05.050 --> 27:08.150]  So you have not that cool temperature there.
[27:08.150 --> 27:16.690]  When you have outside above 30 degrees, sometimes the climate control is not working.
[27:16.690 --> 27:20.750]  So it becomes hot on the bridge when they do their tests.
[27:20.750 --> 27:24.410]  But in general it's a nice place to work.
[27:25.110 --> 27:27.250]  I love that kind of audits.
[27:28.930 --> 27:34.670]  So this is an overview that I found in the ECDIS installation guide.
[27:34.670 --> 27:38.750]  For example from the Transas NaviSailor MD4000.
[27:39.070 --> 27:41.390]  They have a nice overview about it.
[27:41.390 --> 27:45.230]  You have here two screens on the left and the right side.
[27:45.270 --> 27:51.730]  And they are connected together so you can switch from one ECDIS to another.
[27:51.730 --> 27:54.350]  And all the information you can also switch.
[27:55.410 --> 28:00.950]  It's in the documentation. You can find it in the link I have put in my slides here.
[28:00.950 --> 28:03.510]  So that you can take a look in.
[28:03.510 --> 28:08.130]  It's more than 200 slides presentation for that.
[28:08.470 --> 28:13.690]  But it's very nice to read because it is very detailed.
[28:13.710 --> 28:22.810]  You can see how the datagrams are configured on the network.
[28:22.810 --> 28:27.910]  That we will need later for Wireshark modules.
[28:31.430 --> 28:36.650]  Here we have the network diagram in an overview.
[28:36.870 --> 28:47.170]  And here we go a little bit more detailed in the DCU, the battery pack, the UPS, the keyboard, the monitor and the computer system itself.
[28:47.170 --> 28:49.670]  And what kind of connections you have there.
[28:49.670 --> 28:55.370]  Where it is going. For example you see here the S-Band radar connector.
[28:55.370 --> 28:57.330]  There is a special board for that.
[28:58.030 --> 29:00.230]  Here is another picture of that.
[29:01.310 --> 29:05.790]  Here we have the X-Band and another one is the S-Band radar.
[29:06.750 --> 29:08.530]  How it is connected.
[29:10.390 --> 29:13.750]  In reality it looks a little bit more crowded like this.
[29:13.750 --> 29:20.410]  You open the cabinets and then it looks like sometimes a little bit like a mess.
[29:20.930 --> 29:24.190]  But yeah, it is working.
[29:24.450 --> 29:33.870]  So these are pictures from the... I must think, it's the 30 meter yacht.
[29:34.350 --> 29:42.690]  Yeah, that's from the 30 meter yacht where I made my first holiday and got recordings from that.
[29:43.590 --> 29:45.850]  This is then the PC.
[29:46.370 --> 29:50.430]  That's for the navigation system.
[29:50.810 --> 29:56.390]  So you think you have a navigation system with the electronic chart system.
[29:56.390 --> 30:00.670]  So in general it is a Windows computer.
[30:01.290 --> 30:10.870]  Windows computer with Windows software where you have your digital navigation charts on it where the navigator is navigating through the sea.
[30:10.890 --> 30:12.190]  That's it.
[30:14.090 --> 30:17.350]  It's connected with a hub and so on.
[30:18.350 --> 30:27.210]  But when you now think about, okay, let's do an NMAP scan on the bridge network, I say think twice about it.
[30:27.590 --> 30:32.470]  It's very legacy old stuff that you sometimes have.
[30:34.650 --> 30:40.210]  On the 30 meter yacht where I was on, it was a Transas system.
[30:40.210 --> 30:49.130]  The ship was 9 years old and the Transas system at that time was a Windows XP embedded system.
[30:49.890 --> 30:58.990]  And you can imagine, 9 years, not connected to the internet, no patches, no updates, nothing.
[30:59.050 --> 31:00.630]  And it's still running.
[31:01.770 --> 31:08.090]  So that was a point for me, okay, I don't make an NMAP scan on that network.
[31:08.090 --> 31:13.710]  I passively connect to that to see what's on the wire.
[31:14.270 --> 31:26.210]  So I take in this case my Linux PC, it's a Kali Linux in that case, and configure my network interfaces to passively monitor the network.
[31:26.210 --> 31:31.350]  And later we will look a little bit deeper in that how it is looking like.
[31:31.350 --> 31:40.630]  So on the left you see my laptop connected and the bigger screen is already one of the datagrams you see there.
[31:40.690 --> 31:48.010]  I will come to that later in the Wireshark demo where we can see a little bit more.
[31:48.950 --> 31:53.270]  Then we have the ECDIS system itself.
[31:53.270 --> 32:01.910]  So the ECDIS, it's the short abbreviation version of electronic chart display and information system.
[32:02.030 --> 32:06.010]  In the past we had paper charts for navigation.
[32:07.010 --> 32:11.190]  Also we are using a sextant and a compass and whatever.
[32:11.510 --> 32:14.520]  Compass is still there, GPS is also there.
[32:14.970 --> 32:20.690]  But we need also electronic charts, so they're called ENCs.
[32:20.690 --> 32:32.270]  So the thing is, under the IMO regulations it is now allowed that you don't need any paper charts anymore.
[32:32.330 --> 32:37.870]  So unless you have two ECDIS devices, independent ECDIS devices.
[32:39.790 --> 32:45.850]  So two ECDIS devices does not mean that you have two different ECDIS devices.
[32:45.850 --> 32:55.170]  So when you update one and you update also the other one, the failure could be on both of the same systems.
[32:55.410 --> 32:58.370]  Also they are connected in the same network.
[32:59.150 --> 33:13.290]  When maybe an attacker is able to attack the devices on the network area, they will most likely be successful on both devices.
[33:13.290 --> 33:19.150]  But yeah, you need two devices, then you are fulfilling your requirement, that's it.
[33:19.670 --> 33:27.290]  So it's a navigation geographic information system for the nautical navigation of the ship.
[33:27.310 --> 33:30.110]  So you have the position, heading, speed.
[33:30.350 --> 33:37.450]  You have also deep information about the waterways there and also the waterways itself.
[33:37.450 --> 33:47.790]  And you can have overlays on the ECDIS system from the radar, from NAVTEX, from the AIS system and so on.
[33:47.790 --> 34:01.750]  So the ECDIS is more or less the main navigation system and you can have as an overlay, as an additional layer on top, all the other systems like the radar.
[34:05.920 --> 34:11.120]  This is then a picture of the ECDIS system, how it looks like.
[34:11.760 --> 34:23.320]  This is in the port of Barcelona, for example, where you see then where the one ship is and all the other ships are also.
[34:24.340 --> 34:29.880]  These are here, these small things here, they are laying in the docks.
[34:29.920 --> 34:34.140]  Here is a big cruise ship and here is also another cruise ship.
[34:34.140 --> 34:40.440]  And you have also the waterways, how to travel into the different areas there.
[34:42.380 --> 34:49.960]  And here, the Transas from the old system from 2011.
[34:49.960 --> 35:01.540]  You see here, it's in Windows XP with default credentials because it's not connected to the internet and nobody ever changed it.
[35:01.540 --> 35:08.780]  So it's a Windows XP system and the login names are as in the documentation of the system.
[35:09.280 --> 35:17.300]  So people installed it and it's working like that. So nobody takes care about that.
[35:17.900 --> 35:30.000]  So it's more likely when you have access to the network of it, or accidentally someone connects the network to the other networks, then it would be not so good an idea.
[35:31.040 --> 35:36.500]  You can have also access on the ECDIS to all the NMEA messages.
[35:37.080 --> 35:42.200]  You have special modes where you can look at this information.
[35:42.680 --> 35:45.250]  But this information you will also see on the network.
[35:46.560 --> 35:48.700]  Yeah, the NMEA data is like that.
[35:49.640 --> 35:56.920]  So two weeks ago I did a last audit on a 45 meter yacht.
[35:57.540 --> 36:02.980]  And I was connecting them also to the network, and then I found a nice piece of information.
[36:02.980 --> 36:16.780]  So one of the things that I mostly do is then sniff all the data and then use at first the statistical diagrams.
[36:16.780 --> 36:23.800]  So to get an overview of who is talking, how many packets are going to that.
[36:23.940 --> 36:29.940]  And then here in this picture you see there is only one public IP address.
[36:30.400 --> 36:34.720]  And it's only six packets in that time frame where I was scanning.
[36:34.980 --> 36:41.020]  So in this case it is a Furuno ECDIS system. It's not a Transas, it's a Furuno.
[36:41.020 --> 36:46.040]  So Transas is the major player, Furuno is the second biggest in that area.
[36:46.040 --> 36:51.420]  So it doesn't matter. Technically they are all doing the same.
[36:53.520 --> 36:57.240]  Yeah, this internet connection caught my attention.
[36:57.240 --> 37:00.760]  And then I was looking, wow, what is this?
[37:01.380 --> 37:04.720]  It's going to that address.
[37:04.720 --> 37:07.980]  So I used a filter to look it up.
[37:07.980 --> 37:10.960]  And yeah, it is the NTP protocol.
[37:12.760 --> 37:17.220]  So the ECDIS system is connected to the normal network.
[37:18.560 --> 37:27.900]  And then it makes a network time protocol call to an NTP server on the internet.
[37:28.180 --> 37:31.440]  Why? So why is that?
[37:31.440 --> 37:35.800]  Why should the bridge network be connected to the internet?
[37:35.800 --> 37:37.940]  So normally it makes no sense.
[37:38.220 --> 37:42.960]  Especially not to get the network time from the internet.
[37:43.000 --> 37:48.160]  It could be accurate, but what if the network is not available?
[37:49.280 --> 37:51.760]  And we have GPS systems on board.
[37:51.760 --> 37:56.460]  So why not take the GPS time as the time source?
[37:56.960 --> 37:59.780]  So I then suggested to the captain:
[37:59.780 --> 38:03.760]  So hey, just take a network time protocol server.
[38:03.760 --> 38:10.360]  It's a small box. It gets the time information from the GPS system.
[38:10.440 --> 38:13.380]  And it's then acting as an NTP server.
[38:13.380 --> 38:16.900]  And then you can tell the ECDIS, okay, this is your NTP server.
[38:16.900 --> 38:18.520]  Take the time from that.
[38:19.140 --> 38:23.600]  And at this point, you don't need an internet connection anymore.
[38:28.460 --> 38:32.920]  SATCOM is another thing I had in my last talk.
[38:32.920 --> 38:34.980]  A couple of vulnerabilities.
[38:34.980 --> 38:40.060]  So yesterday I looked up some systems there.
[38:40.420 --> 38:43.100]  And there are still a couple of them online.
[38:44.220 --> 38:45.960]  Why SATCOM?
[38:45.960 --> 38:49.820]  So you have offshore internet access via SATCOM.
[38:50.100 --> 38:52.900]  Patching, mostly not.
[38:53.140 --> 38:57.100]  And still many old versions are online and out there.
[38:58.700 --> 39:04.500]  So technically you have a satellite antenna dish on top of the ship.
[39:04.500 --> 39:07.200]  With an ICU unit for that.
[39:07.200 --> 39:15.760]  And then under that you have a computer that's connected over a media exchange protocol system.
[39:16.800 --> 39:18.860]  Then to the ICU.
[39:20.980 --> 39:22.560]  That's simple.
[39:22.560 --> 39:26.320]  It's a little bit more complicated, but that's how it looks like.
[39:28.140 --> 39:37.400]  You can look on Shodan for a couple of satellite dishes that are vulnerable to things.
[39:37.620 --> 39:44.660]  And the thing that I found was in Cobham CTEL systems in the MXP web server.
[39:45.620 --> 39:49.160]  And this is the search string that you use.
[39:49.160 --> 39:52.740]  So this was 2018.
[39:52.740 --> 39:55.620]  I then had 21 online.
[39:55.620 --> 40:02.740]  So at that time I was thinking, okay, there are a couple of them online, but not that many.
[40:02.740 --> 40:06.040]  But I found out the reason why that is.
[40:06.780 --> 40:08.740]  I will explain later.
[40:11.020 --> 40:15.500]  Yesterday I looked up, there are still 19 online.
[40:15.520 --> 40:21.080]  Not really 19; you have here on port 80 15 devices that are still accessible.
[40:21.600 --> 40:23.280]  Why not more?
[40:24.700 --> 40:30.500]  Yeah, also Shodan has a live ship tracker.
[40:30.900 --> 40:38.620]  So all the systems that are connected over VSAT were available over the ship tracker, ship tracker.shodan.io.
[40:38.640 --> 40:47.280]  But Shodan has decided, I don't know why, but yeah, it's okay, to switch off those systems.
[40:47.280 --> 40:50.560]  So the ship tracker is currently not there anymore.
[40:50.560 --> 41:00.240]  So then I was thinking, okay, why are not more sat devices to be found on the internet?
[41:00.440 --> 41:08.920]  And in my last audit, I also found out that, depending on the VSAT provider that you get,
[41:08.920 --> 41:17.620]  they were using network address translation, IP masquerading.
[41:17.620 --> 41:24.820]  So you have a private IP address on your modem device that's connecting over the satellite.
[41:25.220 --> 41:33.340]  And the internet provider over satellite is then making the connection to the internet.
[41:33.340 --> 41:39.580]  So it's hiding all the ships that are using the VSAT from the internet.
[41:39.840 --> 41:42.220]  So it's a good decision, yes.
[41:42.220 --> 41:53.400]  But on the other hand, it's shifting the attack level from the bad guys on the internet to maybe bad guys at the internet providers.
[41:53.700 --> 42:04.220]  So the internet provider still has the ability, if they want, or if they have to by some kind of government,
[42:05.240 --> 42:11.860]  they maybe have then access to the ship network over the internet because of the vulnerabilities that are still there.
[42:11.860 --> 42:16.140]  So, yeah, the device is not visible to the internet.
[42:17.220 --> 42:24.520]  And it gives the owner or the crew a deceptive security because, hey, my device is not findable over the internet.
[42:24.600 --> 42:29.820]  But they are still there and the provider could exploit it now.
[42:29.860 --> 42:34.800]  Or someone else who is working at the provider level.
[42:37.340 --> 42:44.520]  And most of the devices that you find are also always using the same default credentials.
[42:44.520 --> 42:47.880]  So install it and change it.
[42:49.560 --> 42:54.100]  Yeah, coming more or less to the end of my talk.
[42:55.120 --> 43:00.900]  Yeah, I'll show a little bit more in Wireshark demos now.
[43:01.580 --> 43:10.400]  But all of my tools I will publish on GitHub, also the decoders for Wireshark, later on.
[43:10.400 --> 43:17.100]  So I'm working now on making some kind of ECDIS decoder for the datagrams that you see.
[43:17.100 --> 43:21.480]  Because in Wireshark it's very hard to find out what this looks like.
[43:21.940 --> 43:23.480]  Let's have a look at that.
[43:23.480 --> 43:26.680]  So we have Wireshark here.
[43:28.740 --> 43:35.600]  So this is from one of my first network audits we have here.
[43:36.000 --> 43:39.800]  Many UDP protocols.
[43:39.800 --> 43:45.080]  So what you see, I always use the statistics.
[43:45.740 --> 43:49.800]  Let's look for the endpoints for example.
[43:51.840 --> 43:57.170]  And then you see... yeah, no magnifying here.
[44:09.160 --> 44:11.200]  Nope, not working.
[44:11.660 --> 44:16.990]  You see then here the connections, but it's ok.
[44:18.620 --> 44:24.260]  The thing that you see here, we can make bigger.
[44:25.120 --> 44:27.740]  Most of the information is UDP.
[44:27.740 --> 44:33.080]  So the ECDIS is working with UDP broadcast.
[44:33.080 --> 44:37.660]  They don't care about an acknowledgement if the information is gone.
[44:37.660 --> 44:43.200]  It's more or less a real-time traffic protocol, you could say.
[44:43.780 --> 44:51.020]  So each device is broadcasting its information as a UDP broadcast on the network.
[44:51.020 --> 44:56.140]  And the design of the protocol is then like that.
[44:56.140 --> 45:08.600]  So when we look here, for example, at the UDP stream, then you see here a couple of pieces of information.
[45:10.660 --> 45:12.000]  Look at this.
[45:15.010 --> 45:16.350]  Oh, we have to wait.
[45:20.180 --> 45:29.030]  I picked one of the biggest nodes.
[45:30.630 --> 45:35.810]  Yeah, this is how it looks then, like that.
[45:36.030 --> 45:43.510]  But then you see here NMEA POS satellite GPS information.
[45:43.790 --> 45:51.110]  So this datagram is 462 bytes.
[45:53.960 --> 45:59.900]  There is the GPS information that the GPS receiver, for example, gets.
[45:59.900 --> 46:10.240]  So the thing now is to write a decoder for that data here that you can make as a Wireshark plug-in.
[46:10.720 --> 46:13.780]  The information is more visible like that.
[46:13.900 --> 46:21.780]  On the other hand, I also have here another network, from the Furuno network.
[46:21.780 --> 46:24.200]  It's a little bit more readable.
[46:25.760 --> 46:33.940]  Here you see already something from the AIS system in that case.
[46:34.880 --> 46:39.380]  And we just can take a UDP lookup.
[46:40.620 --> 46:48.130]  And here you see a couple of error messages.
[46:49.610 --> 46:57.730]  Receiving channel 2 malfunction, TX malfunction, external EPFS lost, and so on.
[46:57.730 --> 47:07.050]  So at that time when I was sniffing on the network, there was an NMEA network gateway that was faulty.
[47:07.110 --> 47:10.090]  And a couple of messages are missing.
[47:10.950 --> 47:15.510]  You can also find errors by analyzing those protocols.
[47:15.510 --> 47:20.610]  So that was the idea to provide a filter for that.
[47:21.650 --> 47:30.370]  And also on the Furuno network, everything is here in UDP broadcast.
[47:30.650 --> 47:33.370]  Do I find another nice one?
[47:35.870 --> 47:39.390]  This is, for example, an AIS message.
[47:41.950 --> 47:52.870]  A malfunction message. Another one. Do I have a nice one?
[47:54.750 --> 47:59.550]  Here we have GPS information with the coordinates and so on.
[48:00.730 --> 48:04.590]  Okay, let's switch back to the presentation.
[48:05.750 --> 48:10.530]  Once I have it ready, I put it on my GitHub in the Maritime channel.
[48:12.370 --> 48:14.850]  I have a couple of other sections there.
[48:14.850 --> 48:22.950]  You find some X-ray pictures of devices, IoT devices that I analyzed, and so on.
[48:22.950 --> 48:25.990]  Feel free to look at it.
[48:26.790 --> 48:29.970]  Coming to the end, my contact details.
[48:29.970 --> 48:33.170]  I have to say thank you for watching my talk.
[48:33.170 --> 48:39.070]  And have a nice DEF CON 28. Stay safe.
[48:39.810 --> 48:42.950]  And when you go out, always wear your mask.
[48:42.950 --> 48:44.990]  Goodbye and thank you.
